Enterprise governance, risk, and compliance (GRC) tools have become indispensable to organizations. Perhaps you acquired your GRC tool for one initiative, such as Sarbanes-Oxley (SOX) or International Organization for Standardization (ISO) compliance management.
But they can do much more. Their value is not limited to one function, so don’t underestimate your investment: GRC tools can handle multiple missions in one integrated platform.
This article is not a call to arms to buy more or different GRC tools. It’s about getting the most out of what, in all likelihood, you have already bought and paid for. And that means thinking broader, more strategically, and holistically.
A good way to start is by asking a few fundamental questions:
- What’s “inbound” for my GRC tools?
- Have we pushed it to its performance limits?
- Have we pushed ourselves to our limits in thinking about the potential of these tools?
Sometimes a particular regulatory compliance requirement must be fulfilled, and that is the sweet spot of GRC platforms. Maybe it is GRC requirements around SOX, internal audit, or Statement on Standards for Attestation Engagements No. 16 (SSAE 16).
For government organizations, the GRC requirement may come from the Federal Information Security Management Act (FISMA). Hospitals use GRC platforms to address Health Insurance Portability and Accountability Act (HIPAA) requirements around patient information and privacy. These platforms perform superbly in those roles, but they are also versatile.
GRC platforms reach across domains, and even across national boundaries, when dealing with best practices such as ISO 31000 on risk management and the information technology (IT) and computer security guidance in the Information Systems Audit and Control Association’s (ISACA) COBIT framework. Companies doing business overseas also use GRC platforms to document their obligations under the Foreign Corrupt Practices Act (FCPA), as well as voluntary compliance with the UN Global Compact and the post-9/11 requirements of the Customs-Trade Partnership Against Terrorism (C-TPAT).
As you can see, the world is growing in complexity, and that complexity is matched by a growing body of rules and regulations. While each of these regulations, acts, and mandates has specific and unique requirements, the general protocol for managing GRC is fairly similar across all verticals.
The generic concept for a GRC platform is six core functions around one integrated framework, with the functions rolled up and summarized into an executive/program management overview:
- Regulatory alerts
- Issues and remediation
- Certification and filing
- Testing and assessment
- Reports review and approval
- Documentation
Managers must be able to see what is happening, observing events before they can hope to understand their significance, make informed decisions, and take action.
Surprise, unfortunately, is a hallmark of today’s GRC environment, and when it comes to GRC, surprise is not good. In general, GRC platforms automatically and instantly make visible what might otherwise fall through the cracks due to human error.
It is probably unnecessary to go into detail on all of the above functions, but documentation is a good one to highlight. So much of GRC rests on having the appropriate documentation available when needed. What are the policies? When were they reviewed? Who signed off on them? Who was involved in the decision? When were they last updated? How were they tested? What reports were made? Where are they? And a critical but generic question: Can we see them?
The odds are that if you currently have a well-managed GRC system, you can answer these and more detailed questions with ease. But is that the case in all your GRC areas, especially those that were not top of mind when the current system was purchased and implemented?
If the answer is not clear, there is probably an imbalance in your overall GRC management, and it can likely be rectified within the scope of your current GRC platform.
Here’s a quick list, in no particular order, of things to consider when looking to derive the most from your current GRC platform.
- Roadmap exercise: Analyze the requirements around GRC across the organization. This can also be a mapping exercise somewhat less grandiose in scope; ultimately it depends on your circumstances. Consider taking small steps.
- GRC technology workshops: Educate your colleagues on the needs and benefits of GRC automation through workshops. This tends to be an eye-opener for many executives.
- GRC technology business cases: A business case for GRC automation is often a necessary fact of life. Is there an economic case for expanding the scope of current GRC applications? The answer might surprise a lot of skeptics, especially if the initial investment has already been made.
These exercises inform and educate while simultaneously exploring opportunities to achieve economies and incremental gains from previous investments in both technology and process improvement. To illustrate, here are two brief examples, or case studies if you will.
Case Study 1: Integration on a broad front
A client was using a popular GRC platform and was satisfied with the results, but recognized the need to integrate across the compliance, risk, business continuity, and IT security landscapes. The client also wanted to reengineer the existing applications and processes to take advantage of new features.
The foundational activities included setting up a GRC governance structure, identifying stakeholders, conducting an educational workshop to show the client the capabilities and potential gains of a GRC integration, and developing a road map of what could be accomplished in a three-year period.
The benefits included one integrated, tool-based platform from which to manage GRC. Increased automation brought automatic notifications for reviews as well as a mechanism for escalating unresolved issues. The platform provided a single repository of information for the different governance, risk, and compliance processes and made it easier to link information between them. Dashboards aggregated process information at various levels: by process, by region, and for the enterprise.
Case Study 2: Complex, disparate environment
A client had a complex environment with a number of “divisions” and a number of audit requirements. The client needed to prepare control owners to be “audit ready” for multiple audits, including ISO 27001, PCI, FISMA, SOX, and SSAE 16. The client also needed to make sure that all core audit requirements were appropriately mapped to control activities with supporting evidence and documentation.
The foundational activities included setting up a GRC governance structure; designing a consolidated control framework that aligned security policy to compliance requirements; creating a master set of controls to satisfy audit requirements; creating compliance assertion documentation; and developing a compliance audit preparation training curriculum.
Among the benefits achieved were increased internal audit coverage and a reduction in the number of controls of 68% in the first year and 30% in the second year.
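The consolidated control framework in this case study comes down to a many-to-one mapping: several audit requirements, from several frameworks, are satisfied by a single master control with a defined evidence set. The script below is an added illustration of that mapping, not code from the article or from PwC. Every framework reference, control identifier, and evidence name in it is constructed; it also deliberately leaves one requirement unmapped so that the coverage gap a control owner would have to close before an audit is visible.

```python
"""Control rationalization for a consolidated control framework (added example).

All requirement references (REQ-*), master control ids (MC-*) and evidence names
below are constructed for illustration; they are not a real mapping of any standard.
"""
from collections import defaultdict

# Constructed audit requirements: (framework, requirement ref, control objective).
# The control objective is the normalized key that lets one master control satisfy
# requirements coming from several frameworks.
REQUIREMENTS = [
    ("SOX",       "REQ-S1", "periodic-access-review"),
    ("SOX",       "REQ-S2", "change-approval"),
    ("SOX",       "REQ-S3", "segregation-of-duties"),
    ("PCI",       "REQ-P1", "periodic-access-review"),
    ("PCI",       "REQ-P2", "change-approval"),
    ("PCI",       "REQ-P3", "unique-user-ids"),
    ("ISO 27001", "REQ-I1", "periodic-access-review"),
    ("ISO 27001", "REQ-I2", "change-approval"),
    ("ISO 27001", "REQ-I3", "bcp-test"),
    ("FISMA",     "REQ-F1", "periodic-access-review"),
    ("FISMA",     "REQ-F2", "change-approval"),
    ("FISMA",     "REQ-F3", "unique-user-ids"),
    ("FISMA",     "REQ-F4", "vulnerability-scanning"),
    ("SSAE 16",   "REQ-A1", "periodic-access-review"),
    ("SSAE 16",   "REQ-A2", "change-approval"),
]

# Constructed master control set: objective -> (control id, description, evidence
# the control owner must keep on hand). "vulnerability-scanning" is intentionally
# absent so that an unmapped requirement surfaces as a gap.
MASTER_CONTROLS = {
    "periodic-access-review": ("MC-01", "Quarterly review of user access rights",
                               ["access review sign-off", "removed-account list"]),
    "change-approval":        ("MC-02", "Documented approval before production change",
                               ["change ticket", "CAB minutes"]),
    "segregation-of-duties":  ("MC-03", "SoD conflicts detected and resolved",
                               ["SoD conflict report"]),
    "unique-user-ids":        ("MC-04", "Each user has an individual account",
                               ["shared-account exception log"]),
    "bcp-test":               ("MC-05", "Annual business continuity test",
                               ["BCP test report"]),
}


def map_requirements(requirements, master):
    """Return (mapping, gaps).

    mapping: master control id -> list of "framework ref" strings it satisfies.
    gaps:    every requirement whose objective has no master control, i.e. what
             would fail an "audit ready" check.
    """
    mapping = defaultdict(list)
    gaps = []
    for framework, ref, objective in requirements:
        control = master.get(objective)
        if control is None:
            gaps.append(f"{framework} {ref}")
        else:
            mapping[control[0]].append(f"{framework} {ref}")
    return dict(mapping), gaps


def reduction_pct(requirements, master):
    """Percentage reduction in control count, taking one control per requirement
    (the usual state before consolidation) as the baseline."""
    return round(100 * (1 - len(master) / len(requirements)), 1)


def evidence_packet(framework, requirements, master):
    """Evidence a control owner must assemble for one audit: the union of the
    evidence lists of every master control mapped to that framework's requirements."""
    needed = set()
    for fw, _ref, objective in requirements:
        if fw == framework and objective in master:
            needed.update(master[objective][2])
    return sorted(needed)


if __name__ == "__main__":
    mapping, gaps = map_requirements(REQUIREMENTS, MASTER_CONTROLS)
    for control_id, refs in sorted(mapping.items()):
        print(f"{control_id}: {', '.join(refs)}")
    print("unmapped requirements:", gaps)
    print(f"control reduction vs. one-control-per-requirement: "
          f"{reduction_pct(REQUIREMENTS, MASTER_CONTROLS)}%")
    print("PCI evidence packet:", evidence_packet("PCI", REQUIREMENTS, MASTER_CONTROLS))
```

The reduction figure is relative to the constructed baseline of one control per requirement, not the 68% reported for the client above. In a real platform the objective key would be replaced by the tool's control-to-requirement links, but the two checks worth keeping are the same: every requirement resolves to a control, and every control carries the evidence its owner will be asked for.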
GRC-specific platforms are not limited to compliance in a single regulatory area. There is life after SOX, and it includes IT security, compliance with privacy regulations, and even fraud and waste in the global supply chain. The benefits come from better management of risk and more transparent and complete documentation of policies, processes, and procedures, not to mention a possible net reduction in controls.
GRC tools enable you to think like an innovator. You don’t need to spend more money to get value. It is easier and less risky to build on what you already have.
About the Author
Joe DeVita is a partner with PricewaterhouseCoopers, based in the New York Metro area, and leads the governance, risk and compliance (GRC) technology practice for PwC. Joe works with clients to improve and optimize controls around the financial reporting processes, including business process and IT management controls and IT Security and governance reviews. He also assists clients with application selection, implementation, and optimization of Oracle applications including Oracle E-Business Suite and Oracle GRC Suite.
- Assisting our clients to optimize their risk and internal control activities, including SOX readiness/optimization activities, through assessing the effectiveness of internal controls, ensuring alignment with the organization’s business objectives and risks, and using control activities to drive process improvement and enhanced business value.
- Custom developing and deploying solutions for clients to facilitate various processes not captured in the core ERP environments.
- Ensuring IT is aligned to organizational strategy and responsive to a changing business climate, with clearly defined policies and procedures that take into account legal and regulatory compliance requirements.
- Enhancing the process of developing robust controls around pre- and post-implementation system reviews through a clearly defined project management methodology that emphasizes the importance of benefits management.
- Performing third-party and other opinion-level services in response to service organization requests from customers for information about internal controls or requests for access to audit (generally in accordance with contractual agreements).
- Assisting ERP clients to optimize and sustain a real-time controls environment at an enterprise level. We evaluate the effectiveness of current controls and develop a plan to rationalize financial and operationally significant controls. We subsequently design and implement a full range of simplified, standardized controls within core business applications that enable the company to document, monitor, and continuously assess the effectiveness of those controls in a real-time environment.